ownCloud fixes critical security vulnerabilities

The developers of the open source cloud storage and collaboration suite ownCloud have released an update to their software that closes a number of critical vulnerabilities. Version 5.0.6 of ownCloud closes holes that allowed authenticated users to inject SQL commands and execute PHP code on the server or allowed them to download other users' calendars.

Another flaw allows unauthenticated attackers to execute API commands with admin privileges by making use of cross-site request forgery (CSRF). The ownCloud server can also be misused as a spam source by turning it into an open email redirector, a problem that has also been fixed with the update. The update also fixes a number of additional bugs that are not security-related; a complete list of all improvements is available on ownCloud's Change Log web page.

Because of the serious nature of the vulnerabilities, users should upgrade to ownCloud 5.0.6 as soon as possible. Some of the security vulnerabilities also affect ownCloud 4.0.x and 4.5.x; for these versions, the developers have released ownCloud 4.0.15 and 4.5.11, which fix only the security problems and include no further bug fixes. The updated versions of ownCloud can be downloaded from the project's web site.